A company wants to prevent AWS CloudFormation stacks from deploying IAM resources that include an inline policy or a statement with "*", and to prohibit deployment of Amazon EC2 instances with public IP addresses. The company has AWS Control Tower enabled in its AWS Organizations organization. Which solution meets these requirements?
Choose an answer
Tap an option to check your answer.
Correct answer: Use AWS Control Tower proactive controls to block deployment of EC2 instances with public IP addresses and inline policies with elevated access or "*"..
Why this is the answer
AWS Control Tower proactive controls are implemented using AWS CloudFormation hooks. These hooks run before a resource is provisioned, allowing them to prevent the deployment of non-compliant resources, such as EC2 instances with public IPs or IAM policies with broad permissions (like or inline policies). This directly addresses the requirement to block deployment. Detective controls, on the other hand, identify non-compliant resources after they have been deployed, which doesn't prevent deployment. AWS Config monitors for compliance but doesn't inherently block deployment; deleting resources post-deployment is reactive, not preventative. Service Control Policies (SCPs) can restrict actions but are typically used for broader organizational governance and might not offer the granular, pre-deployment blocking capability needed for specific CloudFormation resource attributes.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed